
What is the benefit of using the ITK module instead of Suexec when running an Apache server? The idea is the same, which is to run scripts with the owner's privileges instead of as nobody, www or apache!

Is it better to use ITK in favor of suexec? If so, why? What about security and performance in comparison?

Ilia Ross

1 Answer


MPM-ITK allows you to run Apache with per-user credentials instead of under the Apache user/group. Suexec runs scripts as CGI under a specific user/group, but the static files served by Apache still need more open permissions to be accessed.

MPM-ITK allows all Apache modules (mod_php, etc.) to run under a specific user:group, with the static files having the same permissions as the scripts. The main downside is that Apache's control process has to run as root (with reduced privileges) so it can switch to any user after the request is parsed. Suexec does not have this security risk, but it is only a solution for script execution (not website content isolation).

Here is a blog post with a good summary regarding MPM-ITK vs Suexec and other solutions. The author accepts the security implications of MPM-ITK with the opinion that it outweighs the drawbacks of the competing solutions. I do not agree with the author that an Apache exploit is less likely to succeed just because the MPM-ITK patch is in use, so I would recommend staying up to date on your security patches (we should anyway, right?) if you are willing to accept the security risk to get the per-user benefit.

In summary, MPM-ITK vs Suexec is really a per-situation decision. The only solution beyond MPM-ITK is per-user Apache instances behind a reverse proxy, if server resources are not a concern. Read more about that here: http://wiki.apache.org/httpd/ExtendingPrivilegeSeparation

jimp
  • Thanks a lot for your effort! I have read that article already and it seems that it's the only ITK-related summary out there! :) I understand everything but one thing: when we say that `ITK runs ALL processes as root` and then spawns them as user specific - is this a theoretical threat in case of an unknown Apache vulnerability? It's not possible to get back to root after you are spawned as a specific user, right? – Ilia Ross Jun 03 '13 at 07:51
  • Correct. The control process runs as root, with reduced privileges, and forks per request and switches to the correct user:group. The forked processes cannot change back to root. [According to the MPM-ITK author:](http://mpm-itk.sesse.net/) "Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities and seccomp v2 where possible) until the request is parsed and the vhost determined. This means that any code execution hole before the request is parsed will be a potential root security hole. (The most likely place is probably in mod_ssl.)" – jimp Jun 03 '13 at 14:41
  • The summary, in case I'm correct: keeping suexec for the most security and using ITK for speed but having an imaginable but not proven possibility of a potential root security hole? What makes you think it's mod_ssl? Have you tried to compromise it? Have you heard that anybody could compromise it? – Ilia Ross Jun 11 '13 at 07:46
  • Old question, but I just wanted to add that the comment regarding ways to exploit a potential security root comes from the official website: http://mpm-itk.sesse.net/ – Olivier - interfaSys Aug 05 '14 at 07:58
  • @IliaRostovtsev I haven't tried to compromise it. Like Olivier said, the MPM-ITK website suggests mod_ssl is the most likely location for an exploit to be possible. We have been using it for 5+ years now in my business and I haven't heard of anyone compromising it. If you are particularly concerned, you could use it on servers behind a proxy, which could reduce the risk of a direct attack because deliberate protocol violations likely couldn't reach the ITK machines. – jimp Aug 05 '14 at 19:06
  • Sadly the link to the comparison article http://mitka.us/articles/mpm-itk/ is now gone. Can you recommend another? – Steve Oct 21 '14 at 03:55
  • A bit late, but for the record and for others: archive.org is your friend https://web.archive.org/web/20061030122639/http://mitka.us/articles/mpm-itk/ – Marcin Orlowski Jul 02 '15 at 23:14
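As an added illustration (not from the answer above or from the mpm-itk project), here are two minimal virtual hosts showing the difference the answer describes: with suexec only the CGI runs as the site owner, so the document root must stay readable by the Apache user, whereas under MPM-ITK the whole vhost runs as the owner and the document root can be closed to everyone else. The hostname, paths and the `alice` user/group are placeholders; load only one of the two variants.

```apache
# --- Variant A: suexec (mod_suexec + mod_cgi) ---
# Only CGI scripts run as alice:alice. Static files and mod_php are still
# handled by the Apache worker (www-data), so /srv/www/alice/htdocs must
# remain readable by it (e.g. directories 0755, files 0644). suexec also
# refuses to run a script unless it and its directory are owned by alice
# and are not writable by anyone else.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /srv/www/alice/htdocs
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ /srv/www/alice/cgi-bin/
    <Directory /srv/www/alice/cgi-bin>
        Options +ExecCGI
        Require all granted
    </Directory>
</VirtualHost>

# --- Variant B: MPM-ITK ---
# After the request is parsed and the vhost chosen, the forked child
# setuid()s to alice:alice, so mod_php, CGI and static file reads all
# happen as alice. /srv/www/alice/htdocs can therefore be 0750 alice:alice
# with no access for www-data or for other sites' users.
# The trade-off from the answer applies: the control process that accepts
# and parses the request (and the TLS handshake in mod_ssl) still runs as
# root, restricted by capabilities/seccomp where available.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /srv/www/alice/htdocs
    AssignUserID alice alice
    # Cap worker processes for this vhost so one site cannot starve others.
    MaxClientsVHost 50
    <Directory /srv/www/alice/htdocs>
        Require all granted
    </Directory>
</VirtualHost>

# Server-wide, outside any vhost (newer mpm-itk releases with seccomp v2):
# forbid switching to any uid/gid outside the hosting range, so a
# misconfigured AssignUserID can never select root or a system account.
LimitUIDRange 1000 60000
LimitGIDRange 1000 60000
```

A quick check after deploying variant B is `sudo -u www-data cat /srv/www/alice/htdocs/index.html`, which should now fail with permission denied while the site still serves normally.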